Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Intune Extension HTTP Computed Attributes

  • 1.  ClearPass Intune Extension HTTP Computed Attributes

    MVP
    Posted Oct 29, 2021 09:32 AM
    Hi everyone,

    I have several clients that are deployed the same way, but in the Access Tracker some clients have the computed attributes from the Endpoint Database and some do not:

    Client1:

    Client2:


    Any ideas why some clients don't fetch the computed attributes from the endpoint database?

    ------------------------------
    Matthias Pohl
    ------------------------------


  • 2.  RE: ClearPass Intune Extension HTTP Computed Attributes

    Posted Nov 02, 2021 08:48 AM
    Hi Matthias,

    Can you please check if the device is connecting using the same MAC address that was used for enrolling via Intune?

    If devices are connecting using a random MAC address, the endpoint database would not list the Intune attributes for it, since Intune doesn't have any information on this device.


    ------------------------------
    Nitesh Singla
    ------------------------------



  • 3.  RE: ClearPass Intune Extension HTTP Computed Attributes

    Posted Nov 02, 2021 09:28 AM
    Hi Nitesh,

    I am experiencing similar issues where the device is listed in the endpoint database with 2-3 MAC addresses.
    For instance:

    AA-AA-AA-AA-AA-6D       (Unknown client, empty attributes)
    AA-AA-AA-AA-AA-6E        (Incorrect one with outdated information from Intune with attributes)
    AA-AA-AA-AA-AA-6F       (Correct one with updated information from Intune with attributes)

    This device connects to the Wi-Fi and a request is sent to ClearPass; ClearPass retrieves information from the lowest MAC address:
    AA-AA-AA-AA-AA-6D

    No attributes from Intune are found in the request.

    Any idea why this is happening? A separate team is working with Intune so they need to assist if this is an issue from Intune.

    ------------------------------
    Rikard Berg
    ------------------------------



  • 4.  RE: ClearPass Intune Extension HTTP Computed Attributes

    Posted Nov 08, 2021 01:02 AM
    I find the Graph API reports the wrong MAC address for about a week after initial enrolment, then the correct one comes through. Good luck getting Microsoft support to acknowledge this problem, since by the time I've gotten to a support agent it's usually fixed itself.

    ------------------------------
    James Andrewartha
    ------------------------------



  • 5.  RE: ClearPass Intune Extension HTTP Computed Attributes

    MVP
    Posted Nov 02, 2021 10:27 AM
    Hi Nitesh,

    the MAC address in CPPM is similar to the MAC address in Intune.

    Kind regards,
    Matthias

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 6.  RE: ClearPass Intune Extension HTTP Computed Attributes

    EMPLOYEE
    Posted Nov 03, 2021 01:05 PM
    This might be because there are optimizations in the service processing. If attributes are not used during role-mapping, or during enforcement, they may not be pulled from the authorization source as their values would not have any effect in the enforcement.

    What you may try is to do a role mapping like: Endpoint:Intune Device Enrollment Type EXISTS -> assign a dummy role; or if you now do checking in the enforcement, move that to role-mapping and in enforcement check the role instead of the actual attribute.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: ClearPass Intune Extension HTTP Computed Attributes

    MVP
    Posted Dec 01, 2021 10:42 AM
    Hi, sorry for the late response... Quite hard to troubleshoot when everybody is in home office...

    Another finding: the clients with the missing attributes from the endpoint database show Local:localhost as Authentication source. The other clients show [Endpoints Repository] as Authentication source.


    ------------------------------
    Matthias Pohl
    ------------------------------



  • 8.  RE: ClearPass Intune Extension HTTP Computed Attributes

    MVP
    Posted Dec 02, 2021 10:11 AM
    Hi Nitesh,

    any idea, how I can solve the following problem:

    I've enrolled the client to Intune using the WifiMAC. So in Intune the WifiMAC field is filled with the WifiMAC. The Ethernet field is also filled with the WifiMAC: "The primary Ethernet MAC address for the device. For macOS devices with no ethernet, the device will report the Wi-Fi MAC address."

    I can connect to our Wireless Network without problems. But now I want to connect this client to our LAN. I've configured the service for Intune, but now the client connects using the Ethernet MAC and Intune reports:
    The endpoint with the MAC Address xx-xx-xx-xx-xx-xx does not have an "Intune ID". This is expected, as in Intune the WifiMAC is stored, but I have no idea how to update Intune with the Ethernet MAC... In ClearPass I have two devices (same hostname, different MACs). The device with the WiFi MAC has the Intune attribute, the device with the Ethernet MAC does not. This is expected, but I have no idea how to authenticate my wired device using Intune as AuthSource....


    ------------------------------
    Matthias Pohl
    ------------------------------



  • 9.  RE: ClearPass Intune Extension HTTP Computed Attributes

    Posted Dec 03, 2021 08:14 AM
    Hi Matthias,

    You can search tipsdb directly for the "Intune ID" value of your device that is connecting to the LAN, if you have any value in the RADIUS request or computed attributes (when connecting to the LAN) that matches an attribute already stored in the Endpoint Attributes of the device with the WifiMAC.

    For example: if the "Intune Device Name" attribute of the endpoint with the WifiMAC = Authentication:Full-Username when connecting to the LAN (computed attribute in the Access Tracker input request).

    Then:
    1) Create a new Authentication Source (Generic SQL DB) and write the SQL query filter:

    2) Enable Authorization in the Service and use this new Auth source as an Additional authorization source. Now you should see an additional Authorization Attribute value, Intune ID, found in tipsdb according to the connection's Authentication:Full-Username:

    3) Use this "Intune ID" value to directly call the Intune Extension. I was unable to make it work in one authentication. As a workaround, I had to write this "Intune ID" value as an attribute to the Endpoint with the LAN MAC, for example as "My_Intune_ID", with an Enforcement profile. With the next Endpoint connection I use the "My_Intune_ID" value to call the Intune Extension.

    4) To call the Intune Extension with the "My_Intune_ID" value, you have to create a new HTTP Auth source as follows. And of course add this source as an Additional authorization source in the Service configuration.

    Now you should successfully authenticate LAN connections with Intune.
    You can manipulate which attributes you want to compare in the SQL query. It can be some Certificate fields, if you use EAP-TLS. And if you have the "Intune ID" in your certificate, you can modify the Intune auth source to call the Intune Extension directly using, for example, %{Certificate:Subject-AltName-IntuneID}.

    Hope it will help!




    ------------------------------
    Kestutis Virsilas
    ------------------------------



  • 10.  RE: ClearPass Intune Extension HTTP Computed Attributes

    MVP
    Posted Dec 06, 2021 03:46 AM
    Hi Kestutis,

    thanks a lot for your reply. Could you please help me with the Enforcement Profile you use (as described in step 3)?

    Kind regards,
    Matthias


    ------------------------------
    Matthias Pohl
    ------------------------------



  • 11.  RE: ClearPass Intune Extension HTTP Computed Attributes

    Posted Dec 06, 2021 06:24 AM
    Go to Administration > Dictionary Attributes. Click "Add" and create an Endpoint attribute of type "String":

    Then create a new post-authentication Enforcement Profile (you can make a copy of the default [Update Endpoint Known] and edit it).
    Type: Endpoint, Name: {select My_Intune_ID from dropdown}, Value: %{Authorization:Endpoint_Repository_Query_for_IntuneID:Intune ID Query}

    Then use this Enforcement Profile in the Enforcement Policy logic.
    Keep in mind, when the Intune Auth source does not find the Intune ID value, this enforcement will create the attribute with the value of the variable definition itself, "%{Authorization:Endpoint_Repository_Query_for_IntuneID:Intune ID Query}". So you have to think through the logic of when to write or update the "My_Intune_ID" attribute value (for example, when it is empty or contains "Authorization"). And maybe compare it to the value that is returned from the Intune Auth source to be sure it is the same device.

    Regards,


    ------------------------------
    Kestutis Virsilas
    ------------------------------
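The two tipsdb lookups that posts 9 and 11 describe, written out as Generic SQL DB authorization-source filters. This is an added example, not a filter from the thread or from HPE Aruba; the table name `tips_endpoints`, the lower-case no-delimiter `mac_address` column and the JSON `attributes` column are assumptions about the tipsdb schema that should be checked against your own ClearPass version, and the example assumes that the Intune extension writes `Intune Device Name` with the same value that arrives as `Authentication:Full-Username` on the wired request. `%{...}` tokens are ClearPass attribute substitutions, expanded before the query is sent.

```sql
-- Added example (not from the thread). Assumed schema: tips_endpoints with
-- mac_address (lower case, no delimiters) and a JSON 'attributes' column that
-- holds the Endpoint attributes written by the Intune extension.

-- Filter 1: first wired connection (post 9, step 1).
-- The wired MAC has no Intune attributes, so find the enrolled (Wi-Fi) endpoint
-- by device name and return its Intune ID. Column aliases become the attribute
-- names, e.g. Authorization:<SourceName>:Intune ID.
SELECT
    attributes ->> 'Intune ID'          AS "Intune ID",
    attributes ->> 'Intune Device Name' AS "Intune Device Name",
    mac_address                         AS "Enrolled MAC"
FROM tips_endpoints
WHERE attributes ->> 'Intune Device Name' = '%{Authentication:Full-Username}'
  -- only rows that really carry an Intune ID: this skips the empty
  -- "Unknown client" duplicate from post 3 and any row still holding an
  -- unsubstituted '%{Authorization:...}' literal (the failure mode in post 11)
  AND attributes ->> 'Intune ID' IS NOT NULL
  AND attributes ->> 'Intune ID' NOT LIKE '%Authorization%';

-- Filter 2: later wired connections (post 9 step 3 / post 11).
-- Read back the My_Intune_ID that the post-auth Enforcement Profile wrote onto
-- the wired endpoint itself, again rejecting the literal placeholder so that a
-- failed earlier write is not passed to the Intune HTTP source as a real ID.
SELECT
    attributes ->> 'My_Intune_ID' AS "My_Intune_ID"
FROM tips_endpoints
WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
  AND attributes ->> 'My_Intune_ID' IS NOT NULL
  AND attributes ->> 'My_Intune_ID' NOT LIKE '%Authorization%';
```

If more than one endpoint carries the same `Intune Device Name` (the 2-3 duplicate MACs from post 3), add an `ORDER BY` on a column you trust, because ClearPass uses the first row returned; the thread shows that picking the lowest MAC is not a safe default. Also note the trust boundary: `Authentication:Full-Username` is only a reliable key when it comes from a validated credential such as the EAP-TLS certificate subject, since a client can otherwise present any identity and borrow another device's Intune ID through this join.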